KeystoneAuth1

5.13.1 · active · verified Sat Apr 11

KeystoneAuth1 is the common authentication library for OpenStack clients, providing a standard way to handle authentication and service requests within the OpenStack ecosystem. It is designed to simplify writing new clients and works in conjunction with existing OpenStack clients. The current stable version is 5.13.1, with releases typically tied to the OpenStack development cycle, offering frequent updates and bug fixes.

Warnings

breaking Migration from `python-keystoneclient` to `keystoneauth1` required significant import path changes and a different API for session management. The `Session` class moved from `keystoneclient.session` to `keystoneauth1.session`.
Fix: Update all `Session` imports to `from keystoneauth1 import session` and adapt code to the new `keystoneauth1.session.Session` API. Consult the official 'Migrating from keystoneclient' guide for detailed instructions.
gotcha Encountering `keystoneauth1.exceptions.discovery.DiscoveryFailure` often indicates an incorrect `auth_url`, a misconfigured Keystone endpoint, or issues with SSL certificate verification. The error message 'Could not find versioned identity endpoints when attempting to authenticate' is common.
Fix: Verify the `auth_url` is correct and accessible. Ensure the Keystone service is running and properly configured. If using HTTPS, confirm that SSL certificates are valid and correctly configured, and that any necessary CA certificates are trusted by the client environment. Check network connectivity to the Keystone endpoint.
gotcha When working with SSL/TLS, `keystoneauth1` might raise `SSLError` or `ConnectionError` if certificate verification fails or the connection times out. This can be due to self-signed certificates, missing CA certificates, or network issues.
Fix: Ensure the certificate chain for your Keystone endpoint is trusted. You can specify a CA bundle using the `cacert` parameter when creating a `Session`. For development/testing, `insecure=True` can temporarily disable SSL verification, but this is not recommended for production.

Install

pip install keystoneauth1 Install stable version

Imports

Password
```
from keystoneauth1.identity import v3; auth = v3.Password(...)
```
Authentication plugins for different API versions (v2, v3) are found under `keystoneauth1.identity` and then the specific version submodule (e.g., `v3`).
Session
```
from keystoneauth1 import session; sess = session.Session(...)
```
KeystoneAuth1 introduced its own `Session` class, replacing the one previously used from `python-keystoneclient`.
Adapter
```
from keystoneauth1.adapter import Adapter
```
The Adapter class provides a consistent way to interact with OpenStack services.

Quickstart

This quickstart demonstrates basic V3 password authentication using environment variables for credentials. It initializes a V3 password authentication plugin and creates a session, then attempts to retrieve an authentication token.

import os
from keystoneauth1 import session
from keystoneauth1.identity import v3

# Environment variables for authentication
OS_AUTH_URL = os.environ.get('OS_AUTH_URL', 'http://localhost:5000/v3')
OS_USERNAME = os.environ.get('OS_USERNAME', 'admin')
OS_PASSWORD = os.environ.get('OS_PASSWORD', 'password')
OS_PROJECT_NAME = os.environ.get('OS_PROJECT_NAME', 'admin')
OS_USER_DOMAIN_NAME = os.environ.get('OS_USER_DOMAIN_NAME', 'Default')
OS_PROJECT_DOMAIN_NAME = os.environ.get('OS_PROJECT_DOMAIN_NAME', 'Default')

# Configure authentication plugin
auth = v3.Password(
    auth_url=OS_AUTH_URL,
    username=OS_USERNAME,
    password=OS_PASSWORD,
    project_name=OS_PROJECT_NAME,
    user_domain_name=OS_USER_DOMAIN_NAME,
    project_domain_name=OS_PROJECT_DOMAIN_NAME
)

# Create a session
sess = session.Session(auth=auth)

# Example: Authenticate and get a token (actual API calls would use sess.get(), sess.post(), etc.)
try:
    token = sess.get_token()
    print(f"Successfully authenticated. Token: {token[:10]}...")
except Exception as e:
    print(f"Authentication failed: {e}")

view raw JSON →